Chinese APT Group 'Thrip' Powers Ahead

A Chinese advanced persistent threat group dubbed Thrip that Symantec researchers uncovered in 2018 has been undeterred by the exposure, attacking at least a dozen organizations in Southeast Asia over the past year, the researchers say in a recent report.

In addition, Symantec researchers found this group using a previously undetected custom backdoor called "Hannotog."

Thrip appears to be part of another nation-state backed hacking gang called Billbug or Lotus Blossom that has been operating in Southeast Asia for the past 10 years, the researchers say.

Persistence

The new report paints a picture of a threat group that is staying focused on its primary targets - including military organizations, satellite communications operators and telecommunications companies in Eastern Asian countries that include Macau, Indonesia, Vietnam, Hong Kong and Malaysia.

"Thrip appears to have continued their attack campaigns, albeit developing and using updated malware tools. We believe the lack of a substantial break in activity can be attributed to a time-sensitive mandate. We do not have insight into Thrip's end goal but are certain it is driven by geo-sensitive matters of national importance."

Custom Backdoor

While Hannotog is a custom backdoor, it is typically executed in environments that leverage a built-in feature of Windows Management Instrumentation, Thakur says.

"Thrip has not only been able to generate a new backdoor in the extremely short run, but also attempted to hide their presence by executing the malicious files in ways that might circumvent some security controls in target networks," Thakur says. "Their intentions remain clear - continue gathering desired information from sensitive networks, whatever the resource requirements may be."

High-Profile Targets

Thrip continues to attack the same types of organizations as when Symantec researchers first discovered the group in June 2018. What caught the researchers' attention last year was the group's targeting of a satellite communications operator,
infecting computers that included software designed to monitor and control satellites.

Attacks on similar companies have continued this year, with one being detected as recently as July, researchers say in the new report.

The 12 attacks that Symantec attributes to Thrip since it was first detected have spanned targets in maritime communications, education and the media in addition to the military and satellite communications, researchers say.

"Thrip seems to be leaning, like most other targeted attacking entities, toward usage of clean tools in-built into the operating system," Thakur says. "This is critical for Thrip as their targets over the past couple years have spanned satellite operators, defense contractors and militaries of countries. Maintaining presence on such sensitive networks requires the attackers to avoid reliance on custom, low-prevalence malicious files. In one sense, Thrip has evolved in their tools and procedures over the past year. Their targets continue to remain high-profile by anyone's standards."

Previously Unseen Backdoor

Symantec researchers uncovered much of Thrip's recent activity after discovering the previously unknown Hannotog backdoor, which they say has been in use since at least January 2017 and was first detected at an organization in Malaysia. The backdoor malware trigged an alert in Symantec's Targeted Attack Analytics technology around suspicious Windows Management Instrumentation activity.

Symantec's researchers then were able to find other organizations attacked by Thrip and track the group's recent activities, according to the report.

Hannotog gives the cybercriminals a persistent presence on the target's network. It has been used with other tools tied to Thrip, including another custom backdoor called Sagerunex that provides remote access and Catchamas, a custom Trojan malware put on selected computers and used to steal information, the researchers say.

The Hannotog backdoor was first detected at an organization in Malaysia. (Image: Symantec)

Billbug Links

Thrip was linked to the hacking group Billbug through the Sagerunex backdoor, which the researchers say seems to have evolved from an older Billbug tool known as Evora. The researchers compared strings and code flow between the two malware tools and found a number of similarities.

Like Thrip, Billbug operates in Southeast Asia. Billbug uses spear-phishing or watering hole attacks to compromise targets, leveraging exploits in Microsoft Office and PDF documents to deploy the malware. Its targets have been primarily governments and military organizations. Based on all the similarities between Thrip and Billbug, the researcher conclude, "in all likelihood, Thrip and Billbug now appear to be one and the same."

Thankur notes: "Knowledge of Thrip being a subgroup of Billbug allows end users the opportunity to understand the superset of targets over a longer period of time, the capabilities and resources available to the overarching group, and the focus of the attacking team as a whole. Ultimately, network defenders can analyze a lot more data to determine the risk Thrip poses to their organization."

About the Author

Burt is a freelance writer based in Massachusetts. He has been covering the IT industry for almost two decades, including a long stint as a writer and editor for eWEEK. Over the past several years, he also has written and edited for The Next Platform, Channel Partners, Channel Futures, Security Now, Data Center Knowledge, ITPro Today and Channelnomics.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;